Re: IDS/IPS Evasion Research Project

From: Jerome Athias (jerome.athias@free.fr)
Date: Tue Oct 10 2006 - 04:18:03 EDT


Hi Joseph,

That's a nice idea.
As you speak about the Metasploit Framework, I would like to give you
some information I know.

You'll find a lot of useful information in the MSF Developers Guide:
http://metasploit.com/projects/Framework/msf3/developers_guide.pdf

Look also, for example, at the "ips_filter.rb" plugin of MSF3 and at
the "passive" exploits concept (see HDM's latest IE exploits ;-))

See also Thermoptic Camouflage: Total IDS Evasion (Brian Caswell
and H D Moore)
http://metasploit.blogspot.com/2006/06/black-hat-2006-and-defcon-14.html

My 2 euro cents
/JA

Good luck!

Joseph McCray wrote:
> I was talking with a buddy of mine on the subject of IDS evasion. We
> were going on and on about how none of the old techniques really work
> anymore (substitution/obfuscation/session splicing/fragmentation, blah
> blah blah). I was an IDS monkey in a former life - maybe I'm just a
> glutton for punishment.
>
> There is a bunch of new stuff on the subject that really isn't all that
> well documented (AT LEAST NOT FOR FREE). Everybody charges for this kind
> of info these days - hey who am I to complain - I charge for teaching
> hacking too right? So I figured why not start an IDS/IPS Evasion
> research project of my own.
>
> I figured I could give a shout out to you guys here on the pentest/ids
> lists to help me try out some different open source tools against a few
> I{D|P}Ss, maybe even write a few new tools too, and we can see for
> ourselves what lights up and what doesn't. Now of course you know we'll
> start with Snort as it is by far the most accessible and the easiest to
> find competent users.
>
> Things I'm really interested in digging into:
> 1. Specifically which of the older IDS evasion techniques still work
> against modern I{D|P}Ss.
> 2. What types of tricks can we do with metasploit to evade I{D|P}Ss (and
> get it documented)
> 3. Solidifying and expanding Renaud Bidou's good work on the subject
> 4. Nail down Firewall/IDS testing specifics for packet crafting tools
> like:
> * hping
> * scapy
> * rubyforger
> * isic
> * nemesis
> * Paketto Keiretsu
>
> If you are interested in working on this send me an email. Won't be able
> to start for a week or two, but I can start getting the attack host and
> some targets ready during that time. We'll all figure out how we want to
> build/configure the test network.
>

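The thread names session splicing (a signature split across several TCP segments) as one of the "old" evasion techniques and asks which of them still work against modern sensors. The following Python example is added here to illustrate the detection side of that question; it is not code from either poster, from Metasploit or from Snort. It contrasts a naive detector that inspects each segment's payload in isolation with one that reassembles the TCP stream first, using a constructed HTTP request and a constructed content signature (`/cgi-bin/phf`) that stands in for a Snort-style content match. The reassembly policy (first-received byte wins on overlap) is one simple choice made for the example; production sensors such as Snort's stream preprocessor use target-aware policies instead.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Segment:
    """A TCP segment reduced to what matters here: sequence number and payload."""
    seq: int
    payload: bytes


# Constructed signature standing in for a content match in an IDS rule.
SIGNATURE = b"/cgi-bin/phf"

# Constructed client request that the signature is meant to catch.
REQUEST = b"GET /cgi-bin/phf HTTP/1.0\r\nHost: example.test\r\n\r\n"


def splice(data: bytes, sizes: List[int], isn: int = 0) -> List[Segment]:
    """Cut data into segments of the given sizes; leftover bytes form a last segment."""
    segments, offset = [], 0
    for size in sizes:
        segments.append(Segment(isn + offset, data[offset:offset + size]))
        offset += size
    if offset < len(data):
        segments.append(Segment(isn + offset, data[offset:]))
    return segments


def match_per_segment(segments: List[Segment], sig: bytes = SIGNATURE) -> bool:
    """Naive detector: looks for the signature inside each segment on its own.

    A signature that straddles a segment boundary is never seen whole, which is
    exactly the gap that session splicing exploits.
    """
    return any(sig in seg.payload for seg in segments)


def reassemble(segments: List[Segment], isn: int = 0) -> bytes:
    """Rebuild the in-order byte stream from segments received in any order.

    Policy (chosen for this example): the first byte received for a given stream
    offset wins, later overlapping data is ignored. Reassembly stops at the first
    hole so that data after a missing segment is not inspected prematurely.
    """
    stream: Dict[int, int] = {}
    for seg in segments:
        for i, byte in enumerate(seg.payload):
            stream.setdefault(seg.seq - isn + i, byte)
    out = bytearray()
    while len(out) in stream:
        out.append(stream[len(out)])
    return bytes(out)


def match_stream(segments: List[Segment], sig: bytes = SIGNATURE, isn: int = 0) -> bool:
    """Reassembly-aware detector: matches against the rebuilt stream."""
    return sig in reassemble(segments, isn)


# Constructed delivery: the request is spliced so that no single segment
# contains the whole signature, and the segments arrive out of order.
SPLICED = splice(REQUEST, [6, 5, 4])          # "GET /c" | "gi-bi" | "n/ph" | "f HTTP/1.0..."
OUT_OF_ORDER = [SPLICED[2], SPLICED[0], SPLICED[3], SPLICED[1]]


if __name__ == "__main__":
    print("per-segment match :", match_per_segment(OUT_OF_ORDER))   # False: signature never whole
    print("stream match      :", match_stream(OUT_OF_ORDER))        # True: reassembly restores it
    print("reassembled       :", reassemble(OUT_OF_ORDER))
```

Running the block shows the per-segment detector missing the request while the reassembling detector catches it, which is why testing "old" techniques against a sensor only says something about that sensor's reassembly configuration (stream preprocessor enabled, reassembly window, overlap policy), not about the technique in the abstract.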



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:10 EDT